New Android Malware 'Perseus' Targets User Notes for Sensitive Data

A new Android malware family, named Perseus, has emerged. It is built to steal sensitive personal information, including passwords, recovery phrases, and financial details, directly from the notes users keep on their devices.

Perseus is the first Android malware observed to target the contents of popular note-taking applications, which puts any credentials or recovery phrases stored there at risk.

Distribution and Attack Capabilities

Perseus is distributed mainly through unofficial app stores, disguised as legitimate IPTV applications. The lure relies on users' willingness to sideload APKs for free or low-cost access to content such as live sports broadcasts, for example through apps imitating Roja Directa TV. This distribution channel has been active for the past eight months and has also been used to spread other threats, including the Massiv Android banking malware.

Once active, Perseus gives its operators extensive control over the infected device. Its capabilities include:

  • Full device takeover (remote control of the infected handset)
  • Screenshot capture
  • Overlay attacks (fake login screens drawn over legitimate apps to harvest credentials)

Global Targets and Malware Origins

ThreatFabric researchers have identified Perseus's primary targets as financial institutions across several countries:

  • Turkey: 17 institutions
  • Italy: 15 institutions
  • Poland: 5 institutions
  • Germany: 3 institutions
  • France: 2 institutions

Beyond traditional banking, it also targets nine different cryptocurrency applications.

The malware is built on the Phoenix codebase, which itself descends from the six-year-old Cerberus code. Perseus exists in two distinct versions: a Turkish one and a more sophisticated English one. The English version includes extensive debugging and logging features, and the emojis embedded in its code suggest, according to the researchers, that AI tools may have been used in its development.

Unprecedented Threat: Scanning Personal Notes

Perseus introduces a particularly concerning and unique feature: its explicit targeting of Android note-taking applications. These include widely used apps such as Google Keep, Xiaomi Notes, Samsung Notes, ColorNote, Evernote, Microsoft OneNote, and Simple Notes.

Researchers emphasize that this is the first documented instance of Android malware specifically checking personal notes for sensitive details.

The more refined English variant of Perseus abuses Android's Accessibility Services to open individual notes in these applications and read their contents in search of credentials, recovery phrases and other valuable data.
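An accessibility service that reads other apps' screens must declare itself in the APK's manifest and request the right to retrieve window content in its service configuration, so the capability described above leaves a static footprint. The following triage script is an added example, not code from the report or from ThreatFabric; the manifest and service config it parses are constructed in the shape apktool produces for a decoded APK, and the note-app package names are my own best-known values (verify them against the Play Store listings before relying on them).

```python
# Added example (not from the report or any vendor tooling): static triage of a
# decoded AndroidManifest.xml and accessibility-service config, flagging the
# combination an accessibility-abusing stealer needs. Inputs are constructed.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A11Y_BIND_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"

# Assumed package names for the note apps named in the report; verify against
# the Play Store listings before relying on them.
NOTE_APP_PACKAGES = {
    "com.google.android.keep": "Google Keep",
    "com.miui.notes": "Xiaomi Notes",
    "com.samsung.android.app.notes": "Samsung Notes",
    "com.socialnmobile.dictapps.notepad.color.note": "ColorNote",
    "com.evernote": "Evernote",
    "com.microsoft.office.onenote": "Microsoft OneNote",
}

# Constructed manifest in the shape apktool produces for a decoded APK.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="tv.example.iptv">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="IPTV Player">
    <activity android:name=".MainActivity"/>
    <service android:name=".A11yService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
      <meta-data android:name="android.accessibilityservice"
          android:resource="@xml/a11y_config"/>
    </service>
  </application>
</manifest>"""

# Constructed res/xml/a11y_config.xml. canRetrieveWindowContent is what lets a
# service read on-screen text; an empty packageNames means every app's events.
SAMPLE_A11Y_CONFIG = """<accessibility-service
    xmlns:android="http://schemas.android.com/apk/res/android"
    android:accessibilityEventTypes="typeAllMask"
    android:canRetrieveWindowContent="true"
    android:canPerformGestures="true"
    android:packageNames="com.google.android.keep,com.samsung.android.app.notes,com.evernote"/>"""


def attr(name: str) -> str:
    """Namespaced attribute key as ElementTree expects it, e.g. {ns}name."""
    return f"{{{ANDROID_NS}}}{name}"


def triage_manifest(manifest_xml: str) -> dict:
    """Collect declared accessibility services and the overlay permission."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(attr("name")) for e in root.iter("uses-permission")}
    a11y_services = []
    for svc in root.iter("service"):
        binds = svc.get(attr("permission")) == A11Y_BIND_PERM
        handles = any(a.get(attr("name")) == A11Y_ACTION for a in svc.iter("action"))
        if binds or handles:
            a11y_services.append(svc.get(attr("name")))
    return {
        "package": root.get("package"),
        "accessibility_services": a11y_services,
        "overlay": OVERLAY_PERM in perms,
    }


def triage_a11y_config(config_xml: str) -> dict:
    """Work out what the service can see and which note apps it would watch."""
    root = ET.fromstring(config_xml)
    raw = root.get(attr("packageNames"), "")
    targets = {p.strip() for p in raw.split(",") if p.strip()}
    # No packageNames at all means the service sees every app, note apps included.
    watched = (sorted(NOTE_APP_PACKAGES.values()) if not targets
               else sorted(NOTE_APP_PACKAGES[p] for p in targets if p in NOTE_APP_PACKAGES))
    return {
        "reads_screen_content": root.get(attr("canRetrieveWindowContent")) == "true",
        "performs_gestures": root.get(attr("canPerformGestures")) == "true",
        "targets": targets,
        "note_apps_watched": watched,
    }


def verdict(manifest_xml: str, config_xml: str) -> str:
    m, c = triage_manifest(manifest_xml), triage_a11y_config(config_xml)
    if m["accessibility_services"] and c["reads_screen_content"] and c["note_apps_watched"]:
        return "HIGH: accessibility service that reads screen content of note apps"
    if m["accessibility_services"] and m["overlay"]:
        return "MEDIUM: accessibility service plus overlay permission"
    return "LOW"


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
    print(triage_a11y_config(SAMPLE_A11Y_CONFIG))
    print(verdict(SAMPLE_MANIFEST, SAMPLE_A11Y_CONFIG))
```

A legitimate IPTV player has no reason to declare an accessibility service at all, so any hit on the first check is worth a closer look; the service config then tells you whether it can read screen text and, if `packageNames` is left empty, that it receives events from every app on the device rather than a fixed list.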

Evasion Tactics and User Protection

Before running its payload, Perseus performs a series of anti-analysis and evasion checks on the device. These include:

  • Assessing root status
  • Checking for emulator fingerprints
  • Analyzing SIM card details
  • Verifying Google Play Services availability

From these checks the malware computes a 'suspicion score' and sends it to its command-and-control panel. Operators use the score to decide whether to proceed with data theft on that device, which lets the malware stay quiet in sandboxes and analyst environments.
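For an analyst the practical question is which of these checks a given lab device would trip. The model below is an added example, not Perseus's code: the indicators are the public ones Android malware commonly uses for each of the four checks (root, emulator, SIM, Play Services), while the equal weights and the hold threshold are my assumptions. The two device profiles are constructed from the kind of values `getprop`, a file listing and `pm list packages` would return.

```python
# Added example (not Perseus's code): a model of the environment checks above,
# usable to see which of them a given analysis device would trip. Indicators are
# the public ones commonly used by Android malware; weights and the threshold
# are assumptions. Inputs are constructed from getprop output, a file listing
# and an installed-package list.

EMULATOR_HARDWARE = {"goldfish", "ranchu", "vbox86"}
SU_PATHS = ("/system/bin/su", "/system/xbin/su", "/sbin/su")
PLAY_SERVICES_PKG = "com.google.android.gms"
HOLD_THRESHOLD = 2  # assumption: at or above this, the operator holds off


def root_indicators(device: dict) -> list[str]:
    props, files, pkgs = device["props"], device["files"], device["packages"]
    hits = []
    if props.get("ro.build.tags") == "test-keys":
        hits.append("build signed with test-keys")
    hits += [f"su binary at {p}" for p in SU_PATHS if p in files]
    if "com.topjohnwu.magisk" in pkgs:
        hits.append("Magisk app installed")
    return hits


def emulator_indicators(device: dict) -> list[str]:
    props = device["props"]
    hits = []
    fp = props.get("ro.build.fingerprint", "")
    if fp.startswith("generic") or "unknown" in fp:
        hits.append(f"generic build fingerprint: {fp}")
    if props.get("ro.hardware") in EMULATOR_HARDWARE:
        hits.append(f"emulator hardware: {props['ro.hardware']}")
    if props.get("ro.kernel.qemu") == "1":
        hits.append("ro.kernel.qemu=1")
    model = props.get("ro.product.model", "").lower()
    if "sdk" in model or "emulator" in model:
        hits.append(f"emulator model name: {props['ro.product.model']}")
    return hits


def sim_indicators(device: dict) -> list[str]:
    props = device["props"]
    hits = []
    mccmnc = props.get("gsm.sim.operator.numeric", "")
    if not mccmnc:
        hits.append("no SIM present")
    elif mccmnc == "310260":
        hits.append("SIM operator 310260 (Android emulator default)")
    if props.get("gsm.operator.alpha", "").lower() == "android":
        hits.append("network operator named 'Android'")
    return hits


def play_services_indicators(device: dict) -> list[str]:
    return [] if PLAY_SERVICES_PKG in device["packages"] else ["Google Play Services missing"]


def suspicion_score(device: dict) -> tuple[int, list[str]]:
    """One point per indicator; the reasons list is what an analyst needs to fix."""
    reasons = (root_indicators(device) + emulator_indicators(device)
               + sim_indicators(device) + play_services_indicators(device))
    return len(reasons), reasons


def operator_would_hold(device: dict) -> bool:
    return suspicion_score(device)[0] >= HOLD_THRESHOLD


# Constructed: a stock Android emulator image, untouched.
STOCK_EMULATOR = {
    "props": {
        "ro.build.fingerprint": "generic_x86_64/sdk_gphone64_x86_64/emu64x:14/UE1A.230829.036/11199530:userdebug/dev-keys",
        "ro.build.tags": "dev-keys",
        "ro.hardware": "ranchu",
        "ro.kernel.qemu": "1",
        "ro.product.model": "sdk_gphone64_x86_64",
        "gsm.sim.operator.numeric": "310260",
        "gsm.operator.alpha": "Android",
    },
    "files": {"/system/bin/sh"},
    "packages": {"com.android.settings"},
}

# Constructed: a lab device whose properties, SIM and packages have been made
# to resemble a real handset.
TUNED_DEVICE = {
    "props": {
        "ro.build.fingerprint": "google/oriole/oriole:14/AP1A.240405.002/11480754:user/release-keys",
        "ro.build.tags": "release-keys",
        "ro.hardware": "oriole",
        "ro.product.model": "Pixel 6",
        "gsm.sim.operator.numeric": "26201",
        "gsm.operator.alpha": "Telekom.de",
    },
    "files": {"/system/bin/sh"},
    "packages": {"com.android.settings", "com.google.android.gms"},
}

if __name__ == "__main__":
    for name, dev in (("stock emulator", STOCK_EMULATOR), ("tuned device", TUNED_DEVICE)):
        score, reasons = suspicion_score(dev)
        print(f"{name}: score={score} hold={operator_would_hold(dev)}")
        for r in reasons:
            print("  -", r)
```

Run against a real device by filling the three inputs from `adb shell getprop`, `adb shell ls` on the su paths and `adb shell pm list packages`; every reason the stock profile produces is a property, file or package an analyst can change before detonating a sample that gates its payload on such a score.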

To protect against Perseus and similar threats, users are strongly advised to adhere to the following security practices:

  • Avoid sideloading APKs from unofficial sources.
  • Only download streaming and other applications from the official Google Play Store.
  • Keep Google Play Protect enabled.
  • Run Google Play Protect scans regularly.

Limiting app downloads to the official Google Play Store is the single most effective defense against malware distributed through unofficial channels.
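Whether a device already holds a sideloaded app is something an administrator can check directly, since Android records which package installed each app. The script below is an added example, not part of the report: it parses the output of `adb shell pm list packages -i` (one `package:<name>  installer=<installer>` line per app, `null` when there is none) together with `pm list packages -s` (system apps, which also have no installer) and lists the third-party apps that did not come from a trusted store. The sample output is constructed, and the set of trusted installers beyond the Play Store is an assumption to adjust per fleet.

```python
# Added example (not from the report): find apps on a device that did not come
# from a trusted store, by parsing `pm list packages -i` and `pm list packages -s`.
# Sample output is constructed in the format those commands print.
from typing import Optional

PLAY_STORE = "com.android.vending"
# Assumption: installers treated as trusted besides the Play Store (here an OEM
# store); adjust to the fleet you manage.
TRUSTED_INSTALLERS = {PLAY_STORE, "com.sec.android.app.samsungapps"}

SAMPLE_PM_I = """package:com.android.chrome  installer=com.android.vending
package:com.google.android.keep  installer=com.android.vending
package:com.android.settings  installer=null
package:tv.example.iptv  installer=null
package:com.example.sideloaded  installer=com.android.packageinstaller
"""

SAMPLE_PM_S = """package:com.android.settings
package:com.android.systemui
"""


def parse_pm_list(output: str) -> dict[str, Optional[str]]:
    """Map package name -> installer package (None when pm prints 'null' or nothing)."""
    result = {}
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        name, _, rest = line[len("package:"):].partition(" ")
        installer = rest.strip().partition("=")[2] or "null"
        result[name] = None if installer == "null" else installer
    return result


def sideloaded_packages(pm_i_output: str, pm_s_output: str) -> dict[str, Optional[str]]:
    """Third-party packages whose installer is missing or not a trusted store."""
    installers = parse_pm_list(pm_i_output)
    system_pkgs = set(parse_pm_list(pm_s_output))
    return {
        pkg: inst for pkg, inst in installers.items()
        if pkg not in system_pkgs and inst not in TRUSTED_INSTALLERS
    }


if __name__ == "__main__":
    for pkg, inst in sideloaded_packages(SAMPLE_PM_I, SAMPLE_PM_S).items():
        print(f"{pkg}: installer={inst or 'none'}")
```

An app such as the IPTV player in the sample, with no installer recorded or installed through the system package installer, is exactly the kind that arrived as a sideloaded APK and deserves a second look.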